Description
Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome versions earlier than 149.0.7827.53 contain a use‑after‑free vulnerability in the WebRTC component. The flaw allows a remote attacker to deliver a specially crafted HTML page that can trigger the memory corruption, enabling execution of arbitrary code inside the browser sandbox. This is a classic CWE‑416 flaw.

Affected Systems

All installations of Google Chrome running any build older than 149.0.7827.53 are affected, including stable channel releases. Users with those versions remain at risk until they apply the update.

Risk and Exploitability

The vulnerability is exploitable by presenting a crafted HTML page to a user who opens it in Chrome. Attackers could host such pages or embed them in malicious links. The CVSS score is 8.8, indicating a high severity level. No EPSS score is provided and the bug is not listed in CISA KEV, so exploitation likelihood is not quantified. The Chromium security severity is marked high.

Generated by OpenCVE AI on June 5, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later to eliminate the use‑after‑free flaw
  • Configure Chrome to enable automatic updates to ensure the patch is applied promptly
  • If an update cannot be applied immediately, consider disabling WebRTC via browser policy or an extension to prevent the vulnerable code path from executing



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Title | | Use-After-Free in Chrome WebRTC Enables Remote Code Execution

Fri, 05 Jun 2026 03:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:31:57.074Z

Reserved: 2026-06-04T17:06:12.855Z

Link: CVE-2026-10947

Vulnrichment

Updated: 2026-06-05T00:26:09.270Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T23:16:57.360

Modified: 2026-06-05T15:02:34.977

Link: CVE-2026-10947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T06:15:33Z

Weaknesses